CVE Catalog

CVE-2026-10649

HighCVSS 8.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.52%

40th percentile - higher than 40% of all known CVEs

Summary

A flaw was found in Pacemaker where an integer overflow occurs during remote message decompression. An unauthenticated attacker can send a crafted compressed message before authentication, causing memory corruption and a denial of service (DoS) in the CIB remote listener.

Risk Assessment

This attack can crash the Pacemaker service, potentially disrupting cluster operations and causing downtime for critical applications.

Recommendation

Immediately update Pacemaker to a patched version. Until then, restrict access to the CIB interface to trusted networks only.

Original NVD description (English source)

A flaw was found in Pacemaker. An unauthenticated remote attacker can exploit an integer overflow vulnerability in the remote message decompression process. By sending a specially crafted compressed remote message before authentication, an attacker can cause memory corruption, leading to a denial of service (DoS) in the CIB remote listener. This can result in the affected service crashing.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS